Monitoring the traffic using Wireshark during the pairing process revealed:

- The initial connection is made on port 8257
- To start the pairing process, the same sequence is sent each time
- After the pairing process is finished, another connection is opened to port 8258, where the audio data will be transmitted
- After the connection is made to port 8258, the connection on port 8257 is kept open and used as a heartbeat for the session
- On the heartbeat connection, the client periodically sends 0x01 to the baby monitor (roughly once per second)
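Looking at the same session structure from the defender's side, here is an added example that is not part of the original write-up: a small detector that models the observed pattern (pairing on 8257, audio on 8258, a one-byte 0x01 heartbeat about once per second on the 8257 connection) over constructed packet records and flags any client that completes a session but is not in an assumed allow-list of known phones.

```python
from collections import defaultdict

PAIRING_PORT, AUDIO_PORT = 8257, 8258

# Constructed packet records (time_s, src, dst, dport, payload_hex); not a real
# capture. 10.0.0.20 plays the monitor, 10.0.0.5 the phone, 10.0.0.99 an unknown host.
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.20", 8257, "a1b2"),   # pairing sequence (placeholder bytes)
    (0.5, "10.0.0.5", "10.0.0.20", 8258, ""),       # audio connection opened
    (1.5, "10.0.0.5", "10.0.0.20", 8257, "01"),     # heartbeat
    (2.5, "10.0.0.5", "10.0.0.20", 8257, "01"),
    (10.0, "10.0.0.99", "10.0.0.20", 8257, "a1b2"),
    (10.4, "10.0.0.99", "10.0.0.20", 8258, ""),
    (11.4, "10.0.0.99", "10.0.0.20", 8257, "01"),
    (12.4, "10.0.0.99", "10.0.0.20", 8257, "01"),
    (13.4, "10.0.0.99", "10.0.0.20", 8257, "01"),
]

def find_sessions(packets):
    """Group packets per (client, monitor) pair and note pairing, audio and heartbeats."""
    flows = defaultdict(lambda: {"pairing": False, "audio": False, "heartbeats": []})
    for ts, src, dst, dport, payload in packets:
        f = flows[(src, dst)]
        if dport == PAIRING_PORT:
            f["pairing"] = True
            if payload == "01":            # 1-byte heartbeat on the 8257 connection
                f["heartbeats"].append(ts)
        elif dport == AUDIO_PORT:
            f["audio"] = True
    return flows

def heartbeat_is_periodic(times, expected=1.0, tolerance=0.3):
    """True when at least two heartbeats arrive roughly once per second."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return bool(gaps) and all(abs(g - expected) <= tolerance for g in gaps)

def flag_unexpected_listeners(packets, allowed_clients):
    """Return (client, monitor, heartbeat_count) for complete sessions whose client
    is not in the defender-maintained allow-list (the allow-list is an assumption)."""
    hits = []
    for (src, dst), f in find_sessions(packets).items():
        complete = f["pairing"] and f["audio"] and heartbeat_is_periodic(f["heartbeats"])
        if complete and src not in allowed_clients:
            hits.append((src, dst, len(f["heartbeats"])))
    return sorted(hits)

if __name__ == "__main__":
    print(flag_unexpected_listeners(SAMPLE_PACKETS, {"10.0.0.5"}))  # [('10.0.0.99', '10.0.0.20', 3)]
```

The same records could be produced from a Wireshark export of the monitor's traffic; any flagged client is a second listener that the vendor's later encryption and password protection is meant to rule out.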

## Abusing The Protocol to Record Audio

With the pairing process reversed, it was possible to create a proof of concept showing that a small program deployed into a compromised network could eavesdrop on a baby monitor and allow an attacker to play the recording back at a later date at their discretion.

This script establishes a connection to the baby monitor and begins to dump out the data from port 8257 to dump.heartbeat.bin and the data from port 8258 to dump.data.bin.

## Replaying the Recordings

In order to replay the recordings made by the proof of concept, I created a second script which would act as a baby monitor and replay the data back to a client, which allows for replay via the original application:

- 2018-02-11: Initial contact with vendor to make them aware of the attack vector
- 2018-02-12: Vendor acknowledged the issue and provided keys to test the premium version to verify the encryption and password protection would resolve the issue
- 2018-02-15: Confirmation sent to vendor to let them know the proposed solution should nullify the attack
- 2018-02-16: Vendor begins roll-out process for the new update
- 2018-02-22: Roll-out process completed and version 2.02.2 made available to the public

MikroTik RouterOS is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. Versions prior to RouterOS 6.41.3 and 6.42rc27 are vulnerable.